authorMichael Hoang <enzime@users.noreply.github.com>2022-11-14 13:23:43 +1100
committerMichael Hoang <enzime@users.noreply.github.com>2022-12-17 22:38:14 +1100
commit68e514ed1cf55451901e8d0edd3e8ee5102d3565 (patch)
treef53f232c29ff46762d510b6d38f9484eb239c634 /nixos/modules/services/networking/tailscale.nix
parente738da1f9508f58555223ef881f5778b3af51db0 (diff)
nixos/tailscale: Add `useRoutingFeatures` option
Diffstat (limited to 'nixos/modules/services/networking/tailscale.nix')
-rw-r--r--nixos/modules/services/networking/tailscale.nix29
1 files changed, 21 insertions, 8 deletions
diff --git a/nixos/modules/services/networking/tailscale.nix b/nixos/modules/services/networking/tailscale.nix
index 26997dd9601..233bfdf9ebf 100644
--- a/nixos/modules/services/networking/tailscale.nix
+++ b/nixos/modules/services/networking/tailscale.nix
@@ -4,10 +4,7 @@ with lib;
 
 let
   cfg = config.services.tailscale;
-  firewallOn = config.networking.firewall.enable;
-  rpfMode = config.networking.firewall.checkReversePath;
   isNetworkd = config.networking.useNetworkd;
-  rpfIsStrict = rpfMode == true || rpfMode == "strict";
 in {
   meta.maintainers = with maintainers; [ danderson mbaillie twitchyliquid64 ];
 
@@ -38,14 +35,23 @@ in {
       defaultText = literalExpression "pkgs.tailscale";
       description = lib.mdDoc "The package to use for tailscale";
     };
+
+    useRoutingFeatures = mkOption {
+      type = types.enum [ "none" "client" "server" "both" ];
+      default = "none";
+      example = "server";
+      description = lib.mdDoc ''
+        Enables settings required for Tailscale's routing features like subnet routers and exit nodes.
+
+        To use these these features, you will still need to call `sudo tailscale up` with the relevant flags like `--advertise-exit-node` and `--exit-node`.
+
+        When set to `client` or `both`, reverse path filtering will be set to loose instead of strict.
+        When set to `server` or `both`, IP forwarding will be enabled.
+      '';
+    };
   };
 
   config = mkIf cfg.enable {
-    warnings = optional (firewallOn && rpfIsStrict) ''
-      Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups. Consider setting:
-
-        networking.firewall.checkReversePath = "loose";
-    '';
     environment.systemPackages = [ cfg.package ]; # for the CLI
     systemd.packages = [ cfg.package ];
     systemd.services.tailscaled = {
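Review bot: The option description has a duplicated word in the second paragraph, `To use these these features, ...` should read `To use these features, ...`. The same description also states that reverse path filtering "will be set to loose" and that IP forwarding "will be enabled" without saying that this happens with the module's own priority, which matters because the strict-RPF warning this hunk removes was the only hint users previously got when their firewall configuration conflicted with exit-node use; a sentence such as `These settings are applied as module defaults and can be overridden in your own configuration.` would make the override behaviour explicit, provided the implementation in the later hunk is made consistent so that statement holds for both settings. The `config` attribute set continues outside this hunk.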
@@ -75,6 +81,13 @@ in {
       stopIfChanged = false;
     };
 
+    boot.kernel.sysctl = mkIf (cfg.useRoutingFeatures == "server" || cfg.useRoutingFeatures == "both") {
+      "net.ipv4.conf.all.forwarding" = mkDefault true;
+      "net.ipv6.conf.all.forwarding" = mkDefault true;
+    };
+
+    networking.firewall.checkReversePath = mkIf (cfg.useRoutingFeatures == "client" || cfg.useRoutingFeatures == "both") "loose";
+
     networking.dhcpcd.denyInterfaces = [ cfg.interfaceName ];
 
     systemd.network.networks."50-tailscale" = mkIf isNetworkd {
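Review bot: The two new settings are applied with different priorities: the forwarding sysctls use `mkDefault` so a user's explicit value wins, but `networking.firewall.checkReversePath = mkIf (...) "loose";` is set at normal priority, so a configuration that also sets `checkReversePath = "strict"` (or `true`) together with `useRoutingFeatures = "client"` fails evaluation with a conflicting-definition error instead of honouring the user's choice. For consistency with the sysctl block, `networking.firewall.checkReversePath = mkIf (cfg.useRoutingFeatures == "client" || cfg.useRoutingFeatures == "both") (mkDefault "loose");` would let the user override either setting the same way. It is also worth a comment on the sysctl block that `net.ipv4.conf.all.forwarding` and `net.ipv6.conf.all.forwarding` turn on forwarding for every interface on the host, not only `cfg.interfaceName`, so whether traffic from other interfaces is actually forwarded depends on the firewall's FORWARD rules, which I cannot see from this module; something like `# Enables forwarding on all interfaces, not just the Tailscale one; rely on firewall FORWARD rules to limit it` makes that scope visible to anyone enabling "server" or "both".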